Industry Experts Challenge IIA’s Third-Party Requirements Draft: Advocating for Flexibility & Risk-Based Approaches

Key Takeaways

  • Standardized Yet Rigid: The IIA’s draft offers a structured framework for auditing third-party risks but lacks flexibility to address the unique risks posed by different vendors.
  • Full Lifecycle Management: Auditors are encouraged to manage third-party relationships from selection to offboarding, focusing on critical risks such as operational, cybersecurity, and financial threats.
  • Need for Flexibility: Expert Norman Marks critiques the one-size-fits-all approach and advocates for tailored, risk-based audits that align with the specific risks of each third-party vendor.
  • Professional Judgment Matters: Marks emphasizes the importance of professional judgment in auditing, moving beyond checklist-based approaches to assess unique organizational risks.
  • Adapting to Emerging Risks: Marks advocates for a more proactive, real-time auditing approach, particularly in response to new risks like AI, rather than relying on outdated reports.

Deep Dive

The Institute of Internal Auditors (IIA) recently released a Public Consultation Draft for its Third-Party Topical Requirement. At first glance, it may seem like a technical set of guidelines, but the stakes are high. As businesses increasingly rely on third-party relationships—whether with vendors, contractors, consultants, or others—internal auditors face growing challenges in managing these complex connections. The IIA’s draft aims to offer a more standardized, comprehensive approach to assessing and managing the risks tied to external partnerships. For organizations that regularly engage with third parties, the draft provides a clear framework designed to ensure that no critical risks go unnoticed.

However, as businesses continue to navigate an increasingly dynamic and fast-paced environment, the question arises whether a one-size-fits-all approach is really the right solution for today’s diverse and rapidly changing risk landscape.

A Standardized Approach with Limitations

The Third-Party Topical Requirement sets out to provide internal auditors with a consistent method for evaluating third-party relationships. Think of it as a baseline—clear expectations and standards that auditors can rely on when assessing external partnerships. For many organizations, particularly those with frequent third-party engagements, this framework promises to deliver thorough and reliable audits, ensuring that key risks are identified and managed effectively.

One key aspect of the framework is its emphasis on working within the context of the Global Internal Audit Standards. Auditors are required to document their assessments and justify any deviations from the guidelines when they apply to specific third-party relationships. This emphasis on accountability is intended to make sure that nothing is overlooked in the risk assessment process.

But while this comprehensive approach covers all the bases, it may not fully address the nuances and complexities of today’s diverse business risks. As we’ll see, the draft's rigid, one-size-fits-all methodology may leave little room for auditors to adapt to the unique risk profiles of different third-party vendors.

Managing the Entire Third-Party Lifecycle

One of the draft’s strengths is its focus on managing the entire third-party lifecycle. It encourages auditors to monitor not just the initial stages of third-party relationships but the ongoing journey—from selection and contracting to onboarding, performance monitoring, and offboarding. This broader scope aims to help auditors assess risks from all angles.

  1. Selection: Auditors ensure that organizations choose partners aligned with their business objectives and risk profiles, emphasizing clear criteria for vendor selection.
  2. Contracting: Contracts must address compliance, performance metrics, and risk mitigation strategies, with auditors verifying these elements to formalize the partnership.
  3. Onboarding: Auditors examine how well third parties are integrated into the organization’s compliance systems, governance structures, and expectations.
  4. Monitoring: Continuous oversight of third-party performance and the timely identification of emerging risks are crucial for maintaining alignment with organizational goals.
  5. Offboarding: When the relationship ends, auditors must ensure that sensitive data is protected, access is revoked, and obligations are met securely.

Spotting the Risks: What Could Go Wrong?

The draft highlights several risk categories that auditors need to assess during their evaluations. These aren’t just theoretical risks but real threats that could significantly impact an organization’s operations, including:

  • Operational Risks: What if a third party fails to meet deadlines or deliver on performance expectations? Disruptions from a vendor’s performance could derail business operations, so auditors must ensure that contingency plans are in place.
  • Cybersecurity Risks: With many third parties handling sensitive data, auditors must assess whether vendors have adequate cybersecurity measures to prevent data breaches or other security risks.
  • Financial Risks: Financial instability in a third party could leave the organization vulnerable. Auditors must ensure third-party vendors are financially stable and that backup plans are in place.
  • Compliance Risks: Third-party vendors must keep up with evolving legal and regulatory frameworks. Auditors will ensure that these partners remain compliant with applicable laws.
  • Legal Risks: Contract disputes or breaches could lead to costly litigation. Auditors must verify that contracts offer adequate legal protection.
  • Reputational Risks: A third party’s failure or unethical behavior could harm an organization’s reputation. Auditors need to assess whether the third party poses any reputational risks.

Governance is central to this draft. Auditors are tasked with ensuring that organizations have formal, well-defined processes for managing third-party relationships. This includes verifying that the right people oversee third-party partnerships and that accountability is maintained at every level.

Auditors are responsible for confirming that policies align with legal and regulatory requirements and that these policies are regularly updated. They also assess control processes to ensure proper due diligence is conducted during vendor selection, contracts are reviewed thoroughly, and ongoing monitoring takes place. If any third-party vendor begins to pose risks, auditors must ensure that corrective actions are taken.

The Need for Flexibility

While the IIA’s draft offers a structured framework for auditing third-party risks, some industry experts, including Norman Marks, see the approach as too rigid for today’s dynamic business environment. Marks, a long-time advocate for risk-based auditing, expressed concerns that the draft fails to account for the diverse risk profiles of different third-party relationships.

“Not all third-party relationships are the same,” Marks explained during a conversation with the GRC Report. “The risks associated with a cybersecurity service provider are vastly different from those tied to a raw materials supplier or an external law firm.”

Despite these differences, the draft mandates the same auditing approach for all types of third-party vendors, which Marks views as problematic. Marks argues that risk-based auditing—focusing on the most significant risks and aligning audit resources accordingly—better serves modern organizations.

“Auditing is not just about ticking boxes,” Marks states. “It’s about understanding the business and the unique risks that could hurt the organization.”

Marks believes the draft’s rigid approach misses an opportunity for auditors to apply professional judgment. For instance, auditing a law firm offering legal services should not follow the same process as auditing a vendor providing raw materials, as the risks involved are fundamentally different. According to Marks, this "one-size-fits-all" auditing process is a poor fit for today’s complex and diverse risk landscape.

The draft’s failure to consider emerging risks, such as those stemming from artificial intelligence (AI), is another area where Marks sees room for improvement. He advocates for a more proactive approach to auditing, where auditors are embedded within business operations to provide continuous oversight rather than relying on outdated, static audit reports.

The Role of AI and Proactive Auditing

As technology—especially AI—rapidly transforms industries, Marks believes auditors must adopt a more agile, forward-thinking approach. He points to companies like Apple, where IT auditors were embedded within teams to provide continuous assurance as technology projects were being rolled out.

“This shift toward continuous assurance is the future of auditing,” Marks emphasizes. “Auditors should work in real-time to understand and monitor risks as they emerge, not just wait for something to go wrong and report on it later.”

Marks also raised concerns about the IIA’s governance structure, arguing that it lacks sufficient oversight. He pointed out that the IIA board’s large size and the formality of its nomination process could be limiting fresh perspectives and innovation.

“I think the IIA is headed in the wrong direction with this guidance,” Marks said. “It reflects a failure to challenge the status quo and push the profession forward.”

A Call for Change

Marks is not simply criticizing the draft but is hoping to inspire a broader conversation about the future of internal auditing.

“The world of auditing is changing,” he says. “We need to be agile, forward-looking, and, most importantly, we need to use our professional judgment.”

As the IIA’s consultation period continues, Marks' critique is not just a response to a single document but a call for a fundamental shift in how internal audits are approached. If the IIA and other standard-setting bodies can incorporate more flexibility, adaptability, and professional judgment into their frameworks, internal auditing can evolve to meet the needs of modern businesses.

The future of auditing, according to Marks, isn’t about following rigid checklists, but it’s about focusing on what truly matters, using professional judgment, and being agile in an increasingly complex risk landscape. If the IIA can embrace this, internal auditors will be better equipped to tackle the challenges of tomorrow.
